 Thank you, Mary for starting us off next Colin will tell us about how the EU general data protection regulation Applies to genomic data and how that affects genomic data sharing Yeah, as as you said Elena I'm going to move from some of the important factors that Mary's discussed that you know could I should feed into how policy Can be made around genetic and genomic data sharing to a current hot topic Which sets factors that must be taken into account For some of the international data genomic data sharing and that's taking place between the European Union and the rest of the world And this is about how the European Union's general data protection regulation applies to some international genomic data sharing so I'm just first of all want to flag the the background to this talk, which is a year-long piece of research We've carried out at the PhD foundation in the UK Conducted with support from our national data protection authority and There is this results in a comprehensive report. So if you're looking for further detail about specific topics, I'll encourage you to head here But in this talk, I'm quickly going to attempt to describe the The issue the the nature of the European regulation and then pick up on a couple of key ways in which it applies to genomic data sharing So that's in particular its territorial scope or where in the world the GDPR applies The specific rules it sets for transfers of genomic data between the EU and the rest of the world But also some hopefully positive notes And ways ahead that we think the genomics community might be able to take to Streamline sharing within the law Okay, so first just a bit of background To the regulation for those of you who aren't familiar with this One of the reasons that this is a live issue is that this is a relatively new European regulation which applies to the processing personal or Identifiable data across all sectors of activity from the commercial social media all the way to health healthcare and genomic research And all forms of processing which is almost any operation that can be carried out with or using data So this sector of mastic regulation has not been enforced very long only a couple of years So it's taking Inevitably some time to determine how it applies in more specific and tricky contexts like genomics There are a couple of other eye-catching features So for example that the high potential finds that could be levied And some of the enhancements that the law brings through compared to the previous Versions of European data protection law, but just one other factor I think it's useful to know is that unlike previous European law these regulations based on a fundamental right to data protection and privacy And I think that's important to keep in mind because it colours how the regulation itself is interpreted going forwards Okay, so how does this regulation apply to international genomic data sharing? What are some of the issues? For the first is it's about the territorial scope of the regulation So it might be surprising For someone to learn that the GDPR isn't limited to Europe. It applies to the processing of data outside Europe Where there is some sort of sufficient link between the activities of an institution within Europe and the processing That's taking place somewhere else in the world anywhere else in the world it also applies where The processing consists of the offering goods or services. So for example and maybe sequencing and services or the monitoring of the behavior or Activities of data subjects who are at that moment in the in the European Union Whether that's for on a temporary basis or on a permanent basis For the genomic sector the implications are The regulation applies to research carried out outside of Europe if for example The research is some way being directed or controlled by an institution in Europe It's less clear how it would apply if the European partner is simply One of the number of collaborators involved, but there's the potential for the regulations to still apply there And it can also apply to the cap to capture the the monitoring or periodic updating of data held elsewhere in the world About individuals who are in Europe. So for example The updating of clinical information in a by bank in the United States So a second key a key way in which the GDPR impacts global data sharing is that it sets very specific rules Governing the transfer of personal data from Europe to the rest of the world Now these are quite a complicated set of rules, but in essence Transfers of data outside of Europe will only be lawful if a specific legal mechanism from a hierarchy of potential mechanisms can be found Yet there are lots of complications with the specific mechanisms So for example, the most commonly used mechanism has been a set of standard contract clauses agreed between the parties But there are challenges in the genomic context We know of because they have to be implemented in their entirety and sometimes public institutions in recipient countries can't agree to that within their own law and some of the options for example Transferring on the basis of a public interest or even Based on consent are interpreted as only being available in exceptional circumstances So they shouldn't be used for routine or large-scale ongoing transfers of data And then finally and what I'm flagging here on this slide is the very high standard back the court of justice of the European Union sets for Also all the transfers of data across from Europe to the rest of the world And that's what we've just had reiterated in in a shrooms to Decision the case there are I've gone on the slide Now that was a case specifically about transfers of Facebook data, but it still applies to transfers of health and genomic data as well And in that the court upheld a very high standard or a high high level of interpretation of the standard of the GDPR And for the jurisdiction of the risk data recipients So they must offer an essentially equivalent level of data protection to the European Union The way that's interpreted is it's a very high standard and it also places a big burden on the European data controllers to assess The jurisdiction they are sending data to To ensure that all the safeguards are necessary and in place So the implication is they still take a lot of time a lot of resources and it's not necessarily easy to achieve in in some contexts Thirdly and relatedly even and even in the legal mechanism for transfer can be found for example The story doesn't end there. There are many other aspects of compliance and Compliance with the rights and obligations in the GDPR that must be agreed by All the parties in in say a genomic research project So for example that that can be choosing an appropriate legal basis or determining how data subject rights should be fulfilled Again, this is complicated not only because there are some very high standards for example For consent under the GDPR, but also because there's significant scope currently for both national variation between Countries even within the European Union and their data protection authorities About how the law should be interpreted and applied And also between parties in a genomic research or similar collaboration So again, this is another case where it really significant time and resources are ever acquired And it may not always be possible to reach agreement among a range of parties And then for those who might be wondering if all this can be you know somehow avoided through Anonymizing data so that they fall outside the scope of this regulation This is also not at all straightforward with genomic data under the GDPR Because the regulation sets a broad contextual standard for identifiability Which can be very challenging for you know, what we know of are highly identifying genomic data Nor is it possible to say that removing identifiers and pseudonymizing data will be sufficient Because there's a live debate in Europe about whether that data remain personal data Okay, I don't want to just paint some kind of negative picture because our research identifies some Mitigation and ways ahead that we think the genomics community can and are taking to streamline processing The first and quite straightforwardly is a range of technical approaches Which can for example bring analysis to the data rather than sharing the personal data from Europe to the rest of the world for example But also within the regulation itself It contains and promotes some mechanisms that are designed for specific sectors And we think for example the genomics community To begin to develop consensus and establish best practice And ultimately it's possible for those codes of conduct or certification schemes to be approved and adopted And relied on by different parties to demonstrate their compliance with the regulation This will take some time though in significant effort to agree best practice standards We don't think it's a vain effort but we think it will take a lengthy period to agree codes of conduct that cover a range of processing So in the meantime, advocacy proceeds around appropriate standards for genomic data sharing And even some calls for amendment by the European Union Thank you very much, I think I've said as much as I can in a short period there